Windows trusted code signing (#778)

coronalabs · Feb 9, 2025 · 2a0e377 · 2a0e377
1 parent bebe3d0
commit 2a0e377
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 71 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -3,26 +3,24 @@ name: Daily Build
 on:
   push:
     tags:
-      - '*'
+      - "*"
   workflow_dispatch:
     inputs:
       buildNumber:
-        description: 'Build Number'
+        description: "Build Number"
         required: true
-        default: '9999'
+        default: "9999"
       buildYear:
-        description: 'Build Year'
+        description: "Build Year"
         required: true
-        default: '2100'
-
+        default: "2100"
 
 env:
   WORKSPACE: ${{ github.workspace }}
   DEVELOPER_DIR: /Applications/Xcode_16.2.app/Contents/Developer
   BUILD_NUMBER: ${{ github.event.inputs.buildNumber }}
   YEAR: ${{ github.event.inputs.buildYear }}
 
-
 jobs:
   source-code:
     name: Check out and process source code
@@ -41,7 +39,6 @@ jobs:
           name: SourceCode
           path: ./output
 
-
   native:
     needs: source-code
     runs-on: macos-15
@@ -109,7 +106,6 @@ jobs:
           name: Templates-${{ matrix.platform }}-${{ matrix.xcode }}-${{ matrix.target }}
           path: ./output
 
-
   Xcode-template-matrix-13:
     strategy:
       matrix:
@@ -152,7 +148,6 @@ jobs:
           name: Templates-${{ matrix.platform }}-${{ matrix.xcode }}-${{ matrix.target }}
           path: ./output
 
-
   collect-ios-templates:
     needs:
       - Xcode-template-matrix-13
@@ -178,7 +173,6 @@ jobs:
           name: Collected-ios-templates
           path: ./output
 
-
   webtemplate:
     needs:
       - source-code
@@ -260,7 +254,6 @@ jobs:
           name: Snap
           path: ./output/*.snap
 
-
   linux-flatpak:
     needs:
       - source-code
@@ -303,7 +296,6 @@ jobs:
           name: Flatpak
           path: ./solar2d.flatpak
 
-
   CoronaCards-Android:
     needs: native
     runs-on: ubuntu-20.04
@@ -330,7 +322,6 @@ jobs:
           name: CoronaCards-Android
           path: ./output
 
-
   CoronaCards-iOS:
     needs: source-code
     runs-on: macos-14
@@ -357,7 +348,6 @@ jobs:
           name: CoronaCards-iOS
           path: ./output
 
-
   CoronaCards-iOS-angle:
     needs: source-code
     runs-on: macos-14
@@ -489,7 +479,6 @@ jobs:
           echo "Notarization failed"
           exit 1
 
-
   check-notarization:
     runs-on: macos-14
     steps:
@@ -512,8 +501,6 @@ jobs:
           APPLE_KEY_ID: ${{ secrets.AppleKeyId }}
           APPLE_ISSUER: ${{ secrets.AppleIssuer }}
 
-
-
   Windows-Simulator:
     needs:
       - source-code
@@ -592,6 +579,12 @@ jobs:
         run: |
           curl -sL https://github.com/coronalabs/binary-data/releases/download/1.0/redist.win32.7z -o redist.win32.7z
           7z x redist.win32.7z -o"platform/windows/Bin/redist" -y
+      - name: Install Codesigning Tools
+        shell: cmd
+        run: |
+          choco install dotnet-8.0-runtime --no-progress
+          nuget install Microsoft.Windows.SDK.BuildTools -Version 10.0.22621.3233 -x
+          nuget install Microsoft.Trusted.Signing.Client -Version 1.0.53 -x
       - name: Build Corona Simulator
         shell: cmd
         run: |
@@ -601,7 +594,9 @@ jobs:
           call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Auxiliary\Build\vcvars32.bat"
           devenv "Corona.SDK.sln" /rebuild "Release|x86"
         env:
-          WIN_CERT_PASSWORD: ${{ secrets.WinCertPassword }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
       - name: Copy Simulator
         run: |
           mkdir output
@@ -613,7 +608,6 @@ jobs:
           name: Simulator-Windows
           path: ./output
 
-
   publish-snap:
     runs-on: ubuntu-20.04
     needs:
@@ -641,7 +635,6 @@ jobs:
           snap: ./Snap/s2d.snap
           release: ${{ env.SNAP_RELEASE }}
 
-
   release:
     if: startsWith(github.ref, 'refs/tags')
     permissions:
@@ -708,7 +701,6 @@ jobs:
           name: Solar2D ${{ env.YEAR }}.${{ env.BUILD }}
           generate_release_notes: true
 
-
   notify-chats:
     if: startsWith(github.ref, 'refs/tags')
     runs-on: ubuntu-20.04

diff --git a/platform/windows/Build.Tools/CoronaLabsInc.Sign.bat b/platform/windows/Build.Tools/CoronaLabsInc.Sign.bat
@@ -1,51 +1,16 @@
-@echo off
+@echo on
 REM ---------------------------------------------------------------------------------------
-REM Batch file used to digitally sign a given file with Corona Labs' certificate.
+REM Sign a given file with Solar2D certificate.
 REM ---------------------------------------------------------------------------------------
 
-if NOT EXIST "%~dp0CoronaLabsInc.pfx" goto :OnSkipSigning
-if "%WIN_CERT_PASSWORD%"=="" goto :OnSkipSigning
+if "%AZURE_CLIENT_SECRET%"=="" goto :OnSkipSigning
 
-REM Validate arguments. If incorrect, then echo out how to use this batch file.
-if "%~1"=="" goto OnShowCommandLineHelp
-
-
-REM Attempt to fetch the optional 2nd argument "Program Name".
 if NOT "%~2"=="" set programNameArgument=/d "%~2"
 
-REM Set up command line tools if not available
-echo Setup command line
-call "%~dp0VSVars.bat"
-
-REM Digitally sign the given file.
-echo Digitally signing file: %~1
-
-signtool sign /fd sha1 /f "%~dp0CoronaLabsInc.pfx" /p "%WIN_CERT_PASSWORD%" /t http://timestamp.digicert.com %programNameArgument% "%~1"
-if errorlevel 0 goto:eof
-echo "Signin failed. Using fallback timestamp server 1!"
-signtool sign /fd sha1 /f "%~dp0CoronaLabsInc.pfx" /p "%WIN_CERT_PASSWORD%" /t http://timestamp.verisign.com/scripts/timestamp.dll %programNameArgument% "%~1"
-if errorlevel 0 goto:eof
-echo "Signin failed. Using fallback timestamp server 2!"
-signtool sign /fd sha1 /f "%~dp0CoronaLabsInc.pfx" /p "%WIN_CERT_PASSWORD%" /t http://timestamp.globalsign.com/scripts/timestamp.dll %programNameArgument% "%~1"
-if errorlevel 0 goto:eof
-echo "Signin failed. Using fallback timestamp server 3!"
-signtool sign /fd sha1 /f "%~dp0CoronaLabsInc.pfx" /p "%WIN_CERT_PASSWORD%" /t http://tsa.starfieldtech.com %programNameArgument% "%~1"
-if errorlevel 0 goto:eof
-echo "Signin failed. Using fallback timestamp server 4!"
-signtool sign /fd sha1 /f "%~dp0CoronaLabsInc.pfx" /p "%WIN_CERT_PASSWORD%" /t http://timestamp.geotrust.com/tsa %programNameArgument% "%~1"
-if errorlevel 0 goto:eof
-echo "NO TIMESTAMP FALLBACK WORKED!"
-exit /b 1
-goto:eof
-
 
-:OnShowCommandLineHelp
-echo Signs a given file with Corona Labs' digital certificate.
-echo.
-echo Usage:    CoronaLabsInc.Sign.bat [FilePath] [ProgramName]
-echo   [FilePath]         Path to the file that you want to digitally sign.
-echo   [ProgramName]      Optional: Program name to be displayed in the UAC prompt.
-exit /b 1
+"%WORKSPACE%\Microsoft.Windows.SDK.BuildTools\bin\10.0.22621.0\x86\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "%WORKSPACE%\Microsoft.Trusted.Signing.Client\bin\x86\Azure.CodeSigning.Dlib.dll" /dmdf "%WORKSPACE%/platform/windows/Build.Tools/solar2d.json" %programNameArgument% "%~1"
+goto :End
 
 :OnSkipSigning
 echo Skipping singing becaues password or key is not found
+:End
diff --git a/platform/windows/Build.Tools/solar2d.json b/platform/windows/Build.Tools/solar2d.json
@@ -0,0 +1,5 @@
+{
+  "Endpoint": "https://eus.codesigning.azure.net",
+  "CodeSigningAccountName": "Solar2D",
+  "CertificateProfileName": "Solar2D"
+}
diff --git a/platform/windows/README.md b/platform/windows/README.md
@@ -1,18 +1,20 @@
-
 # Building for Windows Desktop
 
 ## Prerequisites:
+
 You must install the following before building Corona Labs' Win32 software.
-- Visual Studio 2019 Community Edition
-  * Make sure to install C++ components for 140 toolset, as well as 141 CLI, ATL, MFC and XP Tools
-- WiX Toolset v3.10  (Needed to build the install program)
-  * Installer can be found at:  corona\tools\Wix
 
+- [Visual Studio 2019 Community Edition](https://aka.ms/vs/16/release/vs_community.exe)
+  - Select Native Development workload
+  - Add individual components:
+    - C++ Windows XP Support for VS 2017 (v141) tools [Deprecated]
+    - C++ MFC for v141 build tools (x86 & x64)
 
 ## How to build "Corona Simulator":
+
 - Double click on "Corona.Simulator.sln" file.
-  * Solution file is used to build and debug Corona Simulator software.
-  * Outputs to:
+
+  - Solution file is used to build and debug Corona Simulator software.
+  - Outputs to:
 
         .\platform\windows\bin\Corona
-